Stats show that bulletin count dropped this year

Dec 10, 2014 07:48 GMT  ·  By

The number of security bulletins Microsoft released this year dropped slightly compared to the previous year, which could indicate that Redmond had somewhat less to patch in 2014, although, as explained below, a bulletin count is only a rough measure of that.

Statistics provided by Wolfgang Kandek, CTO of Qualys, show that Microsoft published a total of 85 bulletins for its products this year, down from 106 in 2013 and from 100 in 2011.

While this small drop may point to a somewhat increased focus on software security this year, it is important to note that the bulletin count does not reflect the number of vulnerabilities found in Microsoft products: a single bulletin often fixes several flaws at once, each tracked as a separate CVE, so the CVE count is the better measure of how many vulnerabilities were actually patched.

Internet Explorer still a leader

The bulletin statistics are not broken down by product, but it is well known that Internet Explorer is the Microsoft product that gets a new bulletin almost every single month, most of them rated critical.

It's no secret that the security of Internet Explorer is one of the reasons behind the growing criticism of the browser, and some users describe it as little more than the best tool for downloading Google Chrome or Mozilla Firefox. Still, Internet Explorer has improved considerably in the last few years, and security is one of the areas where Microsoft has invested heavily.

What's more, Windows 10 is very likely to come with a new Internet Explorer version boasting a revamped interface and features such as extension support, so the future seems a lot brighter for Microsoft's in-house browser.

As the chart provided by Qualys shows, the number of CVEs addressed in Internet Explorer increased in 2014, and June was clearly the month when a new record was set.

“We saw Internet Explorer under intense scrutiny by security researchers leading to a large number of addressed CVEs, an effect which has only recently slowed down with Microsoft’s changes to the memory allocation process in IE,” Kandek explained.

This month alone brought five bulletins fixing Remote Code Execution (RCE) flaws, which confirms that this class of vulnerability remains a serious issue for Microsoft users. In most cases, an attacker who successfully exploits an RCE flaw in Microsoft software gains the same privileges as the logged-on user, so a user working with administrative rights hands the attacker full control of the machine, while a standard user account limits the damage.
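The distinction drawn above between counting bulletins and counting CVEs, and the tally of RCE bulletins in a month, is easy to make concrete. The following Python is an added example, not Qualys's or Microsoft's code; the bulletin IDs, CVE IDs, months and products in it are constructed placeholders (none is a real bulletin or CVE), laid out in the shape of a bulletin-summary row so that the same functions would work over a real export.

```python
"""Tally Microsoft-style security bulletins against the CVEs they fix.

Added example with constructed data: the bulletin IDs (MSXX-nnn) and CVE IDs
(CVE-0000-nnnn) below are placeholders, not real bulletins or real CVEs.
"""
from collections import defaultdict

# One record per bulletin, in the shape of a bulletin-summary row:
# (bulletin id, month, product, maximum severity, impact, CVE ids fixed).
SAMPLE_BULLETINS = [
    ("MSXX-001", "2014-06", "Internet Explorer", "Critical", "Remote Code Execution",
     ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"]),
    ("MSXX-002", "2014-06", "Windows", "Important", "Elevation of Privilege",
     ["CVE-0000-0005"]),
    ("MSXX-003", "2014-07", "Internet Explorer", "Critical", "Remote Code Execution",
     ["CVE-0000-0006", "CVE-0000-0007"]),
    ("MSXX-004", "2014-07", "Office", "Important", "Remote Code Execution",
     ["CVE-0000-0008"]),
    # The same CVE can be re-addressed by a later bulletin, so CVEs must be
    # counted as a set, not summed per bulletin.
    ("MSXX-005", "2014-07", "Windows", "Important", "Information Disclosure",
     ["CVE-0000-0009", "CVE-0000-0002"]),
]


def tally(bulletins):
    """Per-product (bulletin count, distinct CVE count).

    The two numbers diverge because one bulletin can close several CVEs and
    one CVE can appear in several bulletins; the bulletin count alone says
    little about how many flaws were fixed.
    """
    bulletin_count = defaultdict(int)
    cves = defaultdict(set)
    for _bid, _month, product, _severity, _impact, cve_ids in bulletins:
        bulletin_count[product] += 1
        cves[product].update(cve_ids)
    return {p: (bulletin_count[p], len(cves[p])) for p in bulletin_count}


def totals(bulletins):
    """(total bulletins, total distinct CVEs) across all products."""
    all_cves = set()
    for _bid, _month, _product, _severity, _impact, cve_ids in bulletins:
        all_cves.update(cve_ids)
    return len(bulletins), len(all_cves)


def cves_per_month(bulletins, product):
    """Distinct CVEs fixed per month for one product: the data behind a
    month-by-month CVE chart such as the one for Internet Explorer."""
    per_month = defaultdict(set)
    for _bid, month, prod, _severity, _impact, cve_ids in bulletins:
        if prod == product:
            per_month[month].update(cve_ids)
    return {m: len(ids) for m, ids in sorted(per_month.items())}


def rce_bulletins(bulletins):
    """IDs of bulletins whose impact is Remote Code Execution, whatever the
    severity rating: an RCE bulletin rated only Important still gives an
    attacker the logged-on user's privileges if exploited."""
    return [bid for bid, _month, _product, _severity, impact, _cves in bulletins
            if impact == "Remote Code Execution"]


if __name__ == "__main__":
    for product, (nb, ncve) in sorted(tally(SAMPLE_BULLETINS).items()):
        print(f"{product:18} bulletins={nb} distinct CVEs={ncve}")
    print("totals (bulletins, CVEs):", totals(SAMPLE_BULLETINS))
    print("IE CVEs per month:", cves_per_month(SAMPLE_BULLETINS, "Internet Explorer"))
    print("RCE bulletins:", rce_bulletins(SAMPLE_BULLETINS))
```

Run stand-alone, the script shows five bulletins covering nine distinct CVEs, with Internet Explorer alone accounting for two bulletins but six CVEs, which is exactly why a falling bulletin count says little on its own. Swapping the constructed list for a parsed bulletin export keeps the same functions usable.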

We've reached out to Microsoft for more detailed statistics on the number of vulnerabilities fixed this year and will publish an in-depth analysis when we have more information.

Images: Internet Explorer CVEs in 2014 (Qualys chart); Checking for updates on Windows 10; Windows 10 Windows Update.